Securing and Optimizing Linux RedHat Edition (part 8)

48 345 0

Đang tải... (xem toàn văn)

Tài liệu hạn chế xem trước, để xem đầy đủ mời bạn chọn Tải xuống

THÔNG TIN TÀI LIỆU

Thông tin cơ bản

Định dạng
Số trang 48
Dung lượng 849,59 KB

Các công cụ chuyển đổi và chỉnh sửa cho tài liệu này

Nội dung

Server Software Database Network Services 1 CHAPTER 7 The “rm” command will remove all the source files we have used to compile and install PostgreSQL.. The server configuration files

Trang 1

Server Software (Database Network Services) 1


CHAPTER 7 Linux PostgreSQL Database Server

Overview

Once you begin to serve, and supply services to your customers, you’ll inevitably find that you need to keep information about them in an archive to be accessible and modifiable at any time, should you want it. These tasks can be accomplished with the use of a database. Many databases are available on Linux; choosing one can be complicated, as it must be able to support a number of programming languages, standards and features. PostgreSQL, developed originally in the UC Berkeley Computer Science Department, pioneered many of the object-relational concepts now becoming available in commercial databases. It provides SQL92/SQL3 language support, transaction integrity, and type extensibility.

As explained on the PostgreSQL web site:

PostgreSQL is a sophisticated Object-Relational DBMS, supporting almost all SQL constructs, including subselects, transactions, and user-defined types and functions. It is the most advanced open-source database available anywhere.

These installation instructions assume

Commands are Unix-compatible

The source path is “/var/tmp” (other paths are possible)

Installations were tested on Red Hat Linux 6.1 and 6.2

All steps in the installation will happen in super-user account “root”

PostgreSQL version number is 6.5.3


• To install egcs-c++-version.i386.rpm, use the following command:

[root@deep /]# mount /dev/cdrom /mnt/cdrom
[root@deep /]# cd /mnt/cdrom/RedHat/RPMS
[root@deep RPMS]# rpm -Uvh egcs-c++-version.i386.rpm
egcs-c++ ##################################################

Tarballs

It is a good idea to make a list of files on the system before you install it, and one afterwards, and then compare them using ‘diff’ to find out what file it placed where. Simply run ‘find /* > PostgreSQL1’ before and ‘find /* > PostgreSQL2’ after you install the tarball, and use ‘diff PostgreSQL1 PostgreSQL2 > PostgreSQL-Installed’ to get a list of what changed.

Compilation

Decompress the tarball (tar.gz):

[root@deep /]# cp postgresql-version.tar.gz /var/tmp
[root@deep /]# cd /var/tmp
[root@deep tmp]# tar xzpf postgresql-version.tar.gz

Compile and Optimize

Step 1

First of all, to avoid security risks, we’ll create an unprivileged user account named “postgres” to be the owner of the Postgres files.

• To create the Postgres account, use the following command:

[root@deep /]# useradd -M -o -r -d /var/lib/pgsql -s /bin/bash -c "PostgreSQL Server" -u 40 postgres >/dev/null 2>&1 || :

This tells PostgreSQL to set itself up for this particular hardware setup with:

- Enable locale support

Edit the Makefile.global file (vi +210 Makefile.global) and change the line:


Now, we must compile and install PostgreSQL on to the server:

[root@deep src]# make all
[root@deep src]# cd ..
[root@deep postgresql-6.5.3]# make -C src install
[root@deep postgresql-6.5.3]# make -C src/man install
[root@deep postgresql-6.5.3]# mkdir -p /usr/include/pgsql
[root@deep postgresql-6.5.3]# mv /usr/include/access /usr/include/pgsql/
[root@deep postgresql-6.5.3]# mv /usr/include/commands /usr/include/pgsql/
[root@deep postgresql-6.5.3]# mv /usr/include/executor /usr/include/pgsql/
[root@deep postgresql-6.5.3]# mv /usr/include/lib /usr/include/pgsql/
[root@deep postgresql-6.5.3]# mv /usr/include/libpq /usr/include/pgsql/
[root@deep postgresql-6.5.3]# mv /usr/include/libpq++ /usr/include/pgsql/
[root@deep postgresql-6.5.3]# mv /usr/include/port /usr/include/pgsql/
[root@deep postgresql-6.5.3]# mv /usr/include/utils /usr/include/pgsql/
[root@deep postgresql-6.5.3]# mv /usr/include/fmgr.h /usr/include/pgsql/
[root@deep postgresql-6.5.3]# mv /usr/include/os.h /usr/include/pgsql/
[root@deep postgresql-6.5.3]# mv /usr/include/config.h /usr/include/pgsql/
[root@deep postgresql-6.5.3]# mv /usr/include/c.h /usr/include/pgsql/
[root@deep postgresql-6.5.3]# mv /usr/include/postgres.h /usr/include/pgsql/
[root@deep postgresql-6.5.3]# mv /usr/include/postgres_ext.h /usr/include/pgsql/
[root@deep postgresql-6.5.3]# mv /usr/include/libpq-fe.h /usr/include/pgsql/
[root@deep postgresql-6.5.3]# mv /usr/include/libpq-int.h /usr/include/pgsql/
[root@deep postgresql-6.5.3]# mv /usr/include/ecpgerrno.h /usr/include/pgsql/
[root@deep postgresql-6.5.3]# mv /usr/include/ecpglib.h /usr/include/pgsql/
[root@deep postgresql-6.5.3]# mv /usr/include/ecpgtype.h /usr/include/pgsql/
[root@deep postgresql-6.5.3]# mv /usr/include/sqlca.h /usr/include/pgsql/
[root@deep postgresql-6.5.3]# mv /usr/include/libpq++.H /usr/include/pgsql/
[root@deep postgresql-6.5.3]# mkdir -p /usr/lib/pgsql
[root@deep postgresql-6.5.3]# mv /usr/lib/*source /usr/lib/pgsql/
[root@deep postgresql-6.5.3]# mv /usr/lib/*sample /usr/lib/pgsql/
[root@deep postgresql-6.5.3]# mkdir -p /var/lib/pgsql
[root@deep postgresql-6.5.3]# chown -R postgres.postgres /var/lib/pgsql/
[root@deep postgresql-6.5.3]# chmod 755 /usr/lib/libpq.so.2.0
[root@deep postgresql-6.5.3]# chmod 755 /usr/lib/libecpg.so.3.0.0
[root@deep postgresql-6.5.3]# chmod 755 /usr/lib/libpq++.so.3.0
[root@deep postgresql-6.5.3]# strip /usr/bin/postgres
[root@deep postgresql-6.5.3]# strip /usr/bin/postmaster
[root@deep postgresql-6.5.3]# strip /usr/bin/ecpg
[root@deep postgresql-6.5.3]# strip /usr/bin/pg_id
[root@deep postgresql-6.5.3]# strip /usr/bin/pg_version
[root@deep postgresql-6.5.3]# strip /usr/bin/pg_dump
[root@deep postgresql-6.5.3]# strip /usr/bin/pg_passwd
[root@deep postgresql-6.5.3]# strip /usr/bin/psql
[root@deep postgresql-6.5.3]# rm -f /usr/lib/global1.description
[root@deep postgresql-6.5.3]# rm -f /usr/lib/local1_template1.description

The “make” command compiles all source files into executable binaries, and the “make install” command installs the binaries and any supporting files into the appropriate locations. The “mkdir” will create a new directory named “pgsql” under the “/usr/include” and “/usr/lib” directories, and

The “rm” command will remove the “global1.description” and “local1_template1.description” files that are not needed by our PostgreSQL program.

Create the database installation from your Postgres superuser account

Once PostgreSQL is installed on your Linux server, it’s important to create the database installation before starting your PostgreSQL server.

• To create the database installation, use the following command:

[root@deep /]# su postgres
[postgres@deep /]$ initdb --pglib=/usr/lib/pgsql --pgdata=/var/lib/pgsql
We are initializing the database system with username postgres (uid=40)
This user will own all the files and must also own the server process
Creating Postgres database system directory /var/lib/pgsql/base
Creating template database in /var/lib/pgsql/base/template1
Creating global classes in /var/lib/pgsql/base
Adding template1 database to pg_database
Vacuuming template1
Creating public pg_user view
Creating view pg_rules
Creating view pg_views
Creating view pg_tables
Creating view pg_indexes

NOTE: Do not create the database installation as “root”! This would be a major security hole.

Cleanup after work

[root@deep /]# cd /var/tmp
[root@deep tmp]# rm -rf postgresql-version/ postgresql-version.tar.gz

Remove the egcs-c++-version.i386.rpm package to save space:

[root@deep /]# rpm -e egcs-c++

The “rm” command will remove all the source files we have used to compile and install PostgreSQL. It will also remove the PostgreSQL compressed archive from the “/var/tmp” directory.

The “rpm -e” command will remove the egcs-c++ package we installed to compile the PostgreSQL Server. Note that the egcs-c++ package is required only for compiling programs like PostgreSQL and can be uninstalled safely after successful compilation of PostgreSQL.

Configurations

All software we describe in this book has a specific directory and subdirectory in a tar compressed archive named “floppy.tgz” containing file configurations for specific programs. If you get this archive file, you won’t be obliged to reproduce the different configuration files below manually, or cut and paste them to create your configuration files. Whether you decide to manually copy them, or get the files made for your convenience from the archive, it will be your responsibility to modify, adjust for your needs and place the files related to the PostgreSQL software in the appropriate places on your server, as shown below. The server configuration files archive to download is located at the following Internet address:

http://www.openna.com/books/floppy.tgz

• To run the PostgreSQL Database server, the following file is required and must be created or copied to the appropriate directory on your server:

Copy the postgresql script file to the “/etc/rc.d/init.d/” directory.

You can obtain the configuration files listed below in our floppy.tgz archive. Copy the following files from the decompressed floppy.tgz archive to the appropriate places, or copy and paste them directly from this book to the concerned file.

Configuration of the “/etc/rc.d/init.d/postgresql” script file

Configure your “/etc/rc.d/init.d/postgresql” script file to start and stop the PostgreSQL Server.

Create the postgresql script file (touch /etc/rc.d/init.d/postgresql) and add:

#! /bin/sh
#
# postgresql    This is the init script for starting up the PostgreSQL
#               server
#
# chkconfig: 345 85 15
# description: Starts and stops the PostgreSQL backend daemon that handles \
#              all database requests.

# Check that networking is up.
# Pretty much need it for postmaster.
[ "${NETWORKING}" = "no" ] && exit 0

[ -f /usr/bin/postmaster ] || exit 0

# This script is slightly unusual in that the name of the daemon (postmaster)
# is not the same as the name of the subsystem (postgresql).

# See how we were called.
case "$1" in
  start)
        echo -n "Checking postgresql installation: "
        # Check for the PGDATA structure
        if [ -f /var/lib/pgsql/PG_VERSION ] && [ -d /var/lib/pgsql/base/template1 ]
        then
                # Check version of existing PGDATA
                if [ `cat /var/lib/pgsql/PG_VERSION` != '6.5' ]
                then
                        echo "old version. Need to Upgrade."
                        echo "See /usr/doc/postgresql-6.5.2/README.rpm for more information."
                        exit 1
                fi
                echo "looks good!"
        fi
        echo -n "Starting postgresql service: "
        su -l postgres -c '/usr/bin/postmaster -i -S -D/var/lib/pgsql'
        ;;
  *)
        echo "Usage: postgresql {start}"
        exit 1
esac

exit 0

Now, make this script executable and change its default permissions:

[root@deep /]# chmod 700 /etc/rc.d/init.d/postgresql

Create the symbolic rc.d links for PostgreSQL with the command:

[root@deep /]# chkconfig --add postgresql

Start your new PostgreSQL server manually with the following command:

[root@deep /]# /etc/rc.d/init.d/postgresql start
Checking postgresql installation: looks good!
Starting postgresql service: postmaster [22401]

• To add a new user to your database, run the createuser utility program:

[root@deep /]# su postgres
[postgres@deep /]$ createuser
Enter name of user to add -> admin
Enter user's postgres ID or RETURN to use unix user ID: 500 ->
Is user "admin" allowed to create databases (y/n) y
Is user "admin" a superuser? (y/n) y
createuser: admin was successfully added

• To remove a user from your database, run the destroyuser utility program:

[root@deep /]# su postgres
[postgres@deep /]$ destroyuser
Enter name of user to delete -> admin
destroyuser: delete of user admin was successful

• To create a new database, run the createdb utility program:

[root@deep /]# su postgres
[postgres@deep /]$ createdb dbname (dbname is the name of the database).

or with the Postgres terminal monitor program (psql):

[root@deep /]# su admin
[admin@deep /]$ psql template1
Welcome to the POSTGRESQL interactive sql monitor:
Please read the file COPYRIGHT for copyright terms of POSTGRESQL
[PostgreSQL 6.5.3 on i686-pc-linux-gnu, compiled by egcs ]

type \? for help on slash commands
type \q to quit
type \g or terminate with semicolon to execute query
You are currently connected to the database: template1

template1=> create database foo;
CREATEDB

NOTE: Client connections can be restricted by IP address and/or user name via the “pg_hba.conf” file in PG_DATA.

Other useful Postgres terminal monitor program (psql) commands are:

• To connect to the new database, use the command:

template1=> \c foo
connecting to new database: foo
foo=>

• To create a table, use the command:

foo=> create table bar (i int4, c char(16));

• To drop a table, index, or view, use the command:

foo=> drop table table_name;
foo=> drop index index_name;
foo=> drop view view_name;

• To insert into a table (once a table is created, it can be filled using the command…):

foo=> insert into table_name (name_of_attr1, name_of_attr2, name_of_attr3)
foo-> values (value1, value2, value3);


Chapter 18 Server Software (Proxy Network Services)

In this Chapter

Linux Squid Proxy Server
Using GNU malloc library to improve cache performance of Squid
Configurations
Securing Squid
Optimizing Squid
The cachemgr.cgi program utility of Squid
The Netscape Proxies Configuration for Squid


Server Software (Proxy Network Services) 1

CHAPTER 8 Linux Squid Proxy Server

Derived from the “cached” software from the ARPA-funded Harvest research project, developed at the National Laboratory for Applied Network Research and funded by the National Science Foundation, Squid offers high-performance caching of web clients, and also supports FTP, Gopher, and HTTP data objects. It stores hot objects in RAM, maintains a robust database of objects on disk, has a complex access control mechanism, and supports the SSL protocol for proxying secure connections. In addition, it can be hierarchically linked to other Squid-based proxy servers for streamlined caching of pages.

In our compilation and configuration we’ll configure Squid to run as an httpd-accelerator to get more performance out of our web server. In accelerator mode, the Squid server acts as a reverse proxy cache: it accepts client requests, serves them out of cache if possible, or requests them from the origin server for which it is the reverse proxy. Also we’ll show you how to configure Squid as a proxy-caching server to be able to let all users in your corporate network use Squid to access the Internet.

These installation instructions assume

Commands are Unix-compatible

The source path is “/var/tmp” (other paths are possible)

Installations were tested on Red Hat Linux 6.1 and 6.2

All steps in the installation will happen in super-user account “root”

Squid version number is 2.3.STABLE2

It is a good idea to make a list of files on the system before you install Squid, and one afterwards, and then compare them using ‘diff’ to find out what file it placed where. Simply run ‘find /* > Squid1’ before and ‘find /* > Squid2’ after you install the software, and use ‘diff Squid1 Squid2 > Squid-Installed’ to get a list of what changed.

Compilation

Decompress the tarball (tar.gz):

[root@deep /]# cp squid-version.STABLEz-src.tar.gz /var/tmp
[root@deep /]# cd /var/tmp
[root@deep tmp]# tar xzpf squid-version.STABLEz-src.tar.gz


[root@deep /]# useradd -d /cache/ -r -s /dev/null squid >/dev/null 2>&1
[root@deep /]# mkdir /cache/
[root@deep /]# chown -R squid.squid /cache/

First of all, we add the user “squid” to the “/etc/passwd” file. Then, we create the “/cache” directory if this directory doesn’t exist (and only if it doesn’t exist). Finally, we change the owner of the directory “cache” to be the user “squid”.

NOTE: Usually we don’t need to perform the command (mkdir /cache/) because we have already created this directory when we partitioned our hard drive during the installation of Linux. If this partition doesn’t exist, you must execute this command to create the directory.

Step 2

Move into the new Squid directory and type the following commands on your terminal:

Edit the Makefile.in file (vi +18 icons/Makefile.in) and change the line:

DEFAULT_ICON_DIR = $(sysconfdir)/icons

To read:

DEFAULT_ICON_DIR = $(libexecdir)/icons

We change the variable (sysconfdir) to be (libexecdir). With this modification, the “icons” directory of Squid will be located under the “/usr/lib/squid” directory.

Edit the Makefile.in file (vi +34 src/Makefile.in) and change the lines:

We change the default location of the “cache.log”, “access.log”, and “store.log” files to be under the “/var/log/squid” directory. Then, we put the pid file of Squid under the “/var/run” directory, and finally, locate the “icons” directory of Squid under “/usr/lib/squid/icons” with the variable (libexecdir) above.

Using GNU malloc library to improve cache performance of Squid

If you're suffering from memory limitations on your system, the cache performance of Squid will be affected. To reduce this problem, you can link Squid with an external malloc library such as GNU malloc. To make Squid use GNU malloc as an external library, follow these simple steps:

Packages

GNU malloc Homepage: http://www.gnu.org/order/ftp.html
You must be sure to download: malloc.tar.gz

[root@deep /]# cp malloc.tar.gz /var/tmp
[root@deep malloc]# export CC=egcs
[root@deep malloc]# make

Step 2

Copy the “libmalloc.a” file to your system library directory and be sure to name it “libgnumalloc.a”:

[root@deep malloc]# cp libmalloc.a /usr/lib/libgnumalloc.a

Step 3

Copy the “malloc.h” file to your system’s include directory and be sure to name it “gnumalloc.h”:

[root@deep malloc]# cp malloc.h /usr/include/gnumalloc.h

With the files “libgnumalloc.a” and “gnumalloc.h” installed on your system, Squid will detect them automatically during its compile time, and will use them to improve its cache performance.

Compile and Optimize


This tells Squid to set itself up for this particular hardware setup with these options:

- Use the delay pools feature of Squid to limit and control bandwidth usage for users.
- Use Cache Digests to improve client response time and network utilization.
- Enable poll() instead of select(), since it’s preferred over select.
- Disable ident-lookups to remove code that performs Ident (RFC 931) lookups and reduce possible denial-of-service.
- Enable truncate to glean some performance improvements when removing cached files.
- Use the heap-replacement feature of Squid to have the choice of various cache replacement algorithms, instead of the standard LRU algorithm, for better performance. See below for a more detailed explanation.

Step 2

Now, we must compile and install Squid on the server:

[root@deep squid-2.3.STABLE2]# make -f makefile
[root@deep squid-2.3.STABLE2]# make install
[root@deep squid-2.3.STABLE2]# mkdir -p /var/log/squid
[root@deep squid-2.3.STABLE2]# rm -rf /var/logs/
[root@deep squid-2.3.STABLE2]# chown squid.squid /var/log/squid/
[root@deep squid-2.3.STABLE2]# chmod 750 /var/log/squid/
[root@deep squid-2.3.STABLE2]# chmod 750 /cache/
[root@deep squid-2.3.STABLE2]# rm -f /usr/sbin/RunCache
[root@deep squid-2.3.STABLE2]# rm -f /usr/sbin/RunAccel
[root@deep squid-2.3.STABLE2]# strip /usr/sbin/squid
[root@deep squid-2.3.STABLE2]# strip /usr/sbin/client
[root@deep squid-2.3.STABLE2]# strip /usr/lib/squid/dnsserver
[root@deep squid-2.3.STABLE2]# strip /usr/lib/squid/unlinkd
[root@deep squid-2.3.STABLE2]# strip /usr/lib/squid/cachemgr.cgi

The “make -f” command will compile all source files into executable binaries, and “make install” will install the binaries and any supporting files into the appropriate locations. The “mkdir” command will create a new directory named “squid” under “/var/log”. The “rm -rf” command will remove the “/var/logs” directory, since this directory has been created to handle the log files related to Squid that we have moved to the “/var/log/squid” location. The “chown” will change the owner of “/var/log/squid” to be the user squid, and the “chmod” command will make the mode of the “squid” and “cache” directories (0750/drwxr-x---) for security reasons.

Take note that we remove the small scripts named “RunCache” and “RunAccel” which start Squid in either caching mode or accelerator mode, since we use a better script named “squid” located under the “/etc/rc.d/init.d/” directory that takes advantage of Linux System V. The “strip” command will reduce the size of binaries for optimum performance.

Cleanup after work

[root@deep /]# cd /var/tmp
[root@deep tmp]# rm -rf squid-version/ squid-version.STABLEz-src.tar.gz
[root@deep tmp]# rm -rf malloc/ malloc.tar.gz (if you used the GNU malloc external library)

The “rm” command will remove all the source files we have used to compile and install Squid and GNU malloc. It will also remove the Squid and GNU malloc compressed archives from the “/var/tmp” directory.

Configurations

All software we describe in this book has a specific directory and subdirectory in a tar compressed archive named “floppy.tgz” containing file configurations for specific programs. If you get this archive file, you won’t be obliged to reproduce the different configuration files below manually, or cut and paste them to create your configuration files. Whether you decide to manually copy them, or get the files made for your convenience from the archive, it will be your responsibility to modify, adjust for your needs and place the files related to the Squid software in the appropriate places on your server, as shown below. The server configuration files archive to download is located at the following Internet address: http://www.openna.com/books/floppy.tgz

• To run the Squid server in httpd-accelerator mode, the following files are required and must be created or copied to the appropriate directories on your server:

Copy the squid.conf file to the “/etc/squid/” directory.
Copy the squid script file to the “/etc/rc.d/init.d/” directory.
Copy the squid file to the “/etc/logrotate.d/” directory.

• To run the Squid server in proxy-caching mode, the following files are required and must be created or copied to the appropriate directories on your server:

Copy the squid.conf file to the “/etc/squid/” directory.
Copy the squid script file to the “/etc/rc.d/init.d/” directory.
Copy the squid file to the “/etc/logrotate.d/” directory.

You can obtain the configuration files listed below in our floppy.tgz archive. Copy the following files from the decompressed floppy.tgz archive to the appropriate places, or copy and paste them directly from this book to the concerned file.

Configuration of the “/etc/squid/squid.conf” file in httpd-accelerator mode

The “squid.conf” file is used to set and configure all the different options for your Squid proxy server. In the configuration file below, we’ll configure the “/etc/squid/squid.conf” file to be in httpd-accelerator mode. In this acceleration mode, if the Web Server runs on the same server where Squid is installed, you must set its daemon to run on port 81. With the Apache web server, you can do it by changing the line (Port 80) to (Port 81) in its “httpd.conf” file. If the Web Server runs on other servers in your network, like we do, you can keep the same port number (80) for Apache, since Squid will bind on a different IP number where port (80) is not already in use.


Edit the squid.conf file (vi /etc/squid/squid.conf) and add/change the following options:

http_port 80
icp_port 0
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

http_port 80

The option “http_port” specifies the port number where Squid will listen for HTTP client requests. If you set this option to port 80, the client will have the illusion of being connected to the Apache Web Server. Since we are running Squid in accelerator mode, we must listen on port 80.

icp_port 0

The option “icp_port” specifies the port number where Squid will send and receive ICP requests from neighboring caches. We must set the value of this option to 0 to disable it, since we are configuring Squid to be in accelerator mode for the Web Server. The ICP feature is needed only in a multi-level cache environment with multiple siblings and parent caches. Using ICP in an accelerator mode configuration would add unwanted overhead to Squid.

acl QUERY urlpath_regex cgi-bin \? and no_cache deny QUERY

The options “acl QUERY urlpath_regex cgi-bin \?” and “no_cache deny QUERY” are used to force certain objects to never be cached, like files under the “cgi-bin” directory. This is a security feature.

cache_mem 16 MB

The option “cache_mem” specifies the amount of memory (RAM) to be used for caching the so-called In-Transit objects, Hot Objects, and Negative-Cached objects. This is an optimization feature.


It’s important to note that Squid can use much more memory than the value you specify in this parameter, and for this reason, if you have 48 MB free for Squid, you must put 48/3 = 16 MB here.

cache_dir ufs /cache 200 16 256

The option “cache_dir” specifies, in order: which kind of storage system to use (ufs), the name of the cache directory (/cache) for Squid, the disk space in megabytes to use under this directory (200 Mbytes), the number of first-level subdirectories to be created under the cache directory (16 Level-1), and the number of second-level subdirectories to be created under each first-level cache directory (256 Level-2). In accelerator mode, this option is directly related to the size and number of files that you want to serve with your Apache web server.

emulate_httpd_log on

The option “emulate_httpd_log”, if set to “ON”, specifies that Squid should emulate the log file format of the Apache web server. This is very useful if you want to use a third party program like Webalizer to analyze the Web Server (httpd) log file.

redirect_rewrites_host_header off

The option “redirect_rewrites_host_header”, if set to “OFF”, tells Squid not to rewrite any Host: header in redirected requests. It’s recommended to set this option to “OFF” if you are running Squid in accelerator mode.

replacement_policy GDSF

The option “replacement_policy” specifies the cache policy Squid will use to determine which objects in the cache must be replaced when the proxy needs to make disk space. The Squid LRU policy is used by default if you have not specified the “--enable-heap-replacement” option during compile time. In our configuration, we choose the GDSF (Greedy-Dual Size Frequency) policy as our default policy. See http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html for more information.

acl all src 0.0.0.0/0.0.0.0 and http_access allow all

The options “acl” and “http_access” specify and define an access control list to be applied on the Squid proxy server. Our “acl” and “http_access” options are not restricted, and allow everyone to connect to the proxy server, since we use this proxy to accelerate the public Apache Web Server. See your Squid documentation for more information when using Squid in non-accelerator mode.

cache_mgr admin

The option “cache_mgr” specifies the email address of the administrator responsible for the Squid proxy server. This person is the one who will receive mail if Squid encounters problems. You can specify the name or the complete email address in this option.

cache_effective_user squid and cache_effective_group squid

The options “cache_effective_user” and “cache_effective_group” specify the UID/GID that the cache will run as. Don’t forget to never run Squid as “root”. In our configuration we use the UID “squid” and the GID “squid”.

httpd_accel_host 208.164.186.3 and httpd_accel_port 80

The options “httpd_accel_host” and “httpd_accel_port” specify to Squid the IP address and port number where the real HTTP Server (i.e. Apache) is. In our configuration, the real HTTP Web Server is on the IP address 208.164.186.3 (www.openna.com) and on port (80). “www.openna.com” is another host name on our network, and since the Squid Proxy Server doesn’t reside on the same host as the Apache HTTP Web Server, we can use port (80) for our Squid Proxy Server, and port (80) for our Apache Web Server, and the illusion is perfect.

log_icp_queries off


The option “log_icp_queries” specifies whether you want ICP queries (ICP is used to exchange hints about the existence of URLs in neighbor caches) to be logged to the “access.log” file or not. Since we don’t use the ICP feature in Squid accelerator mode, we can safely set this option to “OFF”.

cachemgr_passwd my-secret-pass all

The option “cachemgr_passwd” specifies a password that will be required for accessing the operations of the “cachemgr.cgi” program utility. This CGI utility program is designed to run through a web interface and outputs statistics about the Squid configuration and performance. The <my-secret-pass> is the password that you have chosen, and the keyword <all> specifies to set this password to be the same for all actions you can perform with this program. See “The cachemgr.cgi program utility of Squid”, below in this chapter, for more information.

buffered_logs on

The option “buffered_logs”, if turned “ON”, can speed up the writing of some log files slightly. This is an optimization feature.

Configuration of the “/etc/squid/squid.conf” file in proxy-caching mode

With some minor modifications to the “squid.conf” file we have defined above to run in accelerator mode, we can run Squid as a proxy-caching server. With a proxy cache server, all users in your corporate network use Squid to access the Internet. With this configuration, you can have complete control, and apply special policies on what can be viewed, accessed, and downloaded. You can also control bandwidth usage, connection time, and so on. A proxy cache server can be configured to run as a stand-alone server for your corporation, or to use and share caches hierarchically with other proxy servers around the Internet.

With the first example below we show you how to configure Squid as a stand-alone server, and then speak a little bit about a cache hierarchy configuration, where two or more proxy-cache servers cooperate by serving documents to each other.

Edit the squid.conf file (vi /etc/squid/squid.conf) and add/change the following options for a proxy cache that runs as a stand-alone server:

http_port 8080
icp_port 0
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 16 MB
cache_dir ufs /cache 200 16 256


acl Safe_ports port 80 443 210 119 70 21 1025-65535
acl CONNECT method CONNECT
acl all src 0.0.0.0/0.0.0.0
http_access allow localnet
http_access allow localhost
http_access deny !Safe_ports
http_access deny CONNECT
http_access deny all

The general form of an acl line is:

acl name      type      data
 |    |         |         |
acl some-name src a.b.c.d/e.f.g.h      # ACL restrict access based on source IP address
acl some-name dst a.b.c.d/e.f.g.h      # ACL restrict access based on destination IP address
acl some-name srcdomain foo.com        # ACL restrict access based on source domain
acl some-name dstdomain foo.com        # ACL restrict access based on destination domain

As an example, to restrict access to your Squid proxy server to only your internal clients, and to a specific range of designated ports, something like the following will do the job:

acl localnet src 192.168.1.0/255.255.255.0

acl localhost src 127.0.0.1/255.255.255.255

acl Safe_ports port 80 443 210 119 70 21 1025-65535

acl CONNECT method CONNECT

acl all src 0.0.0.0/0.0.0.0

http_access allow localnet

http_access allow localhost

http_access deny !Safe_ports

http_access deny CONNECT

http_access deny all

This acl configuration will allow all internal clients from the private class C 192.168.1.0 to access the proxy server; it’s also recommended that you allow the localhost IP (a special IP address used by your own server) to access the proxy. After we choose a range of ports (80=http, 443=https, 210=wais, 119=nntp, 70=gopher, and 21=ftp) which our internal clients can use to access the Internet, we deny the CONNECT method to prevent outside people from trying to connect to the proxy server, and finally, we deny all other source IP addresses and ports on the proxy server.
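As an added example (not from the book), the following Python evaluator applies the acl and http_access lines above with Squid's first-match rule. It also shows a point worth checking in your own ruleset: with the lines in the order given, “allow localnet” is tested before “deny !Safe_ports”, so an internal client is only restricted to the safe ports once that deny line is moved ahead of the allow lines. The ACL types handled, the sample requests and the SAFE_FIRST variant are constructed for this demonstration.

```python
import ipaddress
# Constructed sample: the stand-alone proxy ACLs and http_access lines shown above, in the same order.
PAGE_RULES = """
acl localnet src 192.168.1.0/255.255.255.0
acl localhost src 127.0.0.1/255.255.255.255
acl Safe_ports port 80 443 210 119 70 21 1025-65535
acl CONNECT method CONNECT
acl all src 0.0.0.0/0.0.0.0
http_access allow localnet
http_access allow localhost
http_access deny !Safe_ports
http_access deny CONNECT
http_access deny all
"""
# Same rules with "deny !Safe_ports" moved ahead of the allow lines (constructed variant).
SAFE_FIRST = PAGE_RULES.replace("http_access deny !Safe_ports\n", "").replace(
    "http_access allow localnet", "http_access deny !Safe_ports\nhttp_access allow localnet")

def parse(text):
    """acls: name -> (type, values); rules: (action, terms) in file order."""
    acls, rules = {}, []
    for raw in text.splitlines():
        f = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if f and f[0] == "acl":
            acls.setdefault(f[1], (f[2], []))[1].extend(f[3:])
        elif f and f[0] == "http_access":
            rules.append((f[1], f[2:]))
    return acls, rules

def matches(acl, src, port, method):
    kind, values = acl
    if kind == "src":    # client address against a.b.c.d/netmask entries
        return any(ipaddress.ip_address(src) in ipaddress.ip_network(v, strict=False)
                   for v in values)
    if kind == "port":   # destination port: single value or lo-hi range
        return any(int(v.partition("-")[0]) <= port <= int(v.partition("-")[2] or v)
                   for v in values)
    if kind == "method":
        return method in values
    raise ValueError("unsupported acl type: " + kind)

def check(config, src, port, method="GET"):
    """Squid semantics: the first http_access line whose terms all match wins, '!'
    negates a term, and if no line matches the opposite of the last action applies."""
    acls, rules = parse(config)
    for action, terms in rules:
        if all(matches(acls[t.lstrip("!")], src, port, method) != t.startswith("!")
               for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"
```

For example, check(PAGE_RULES, "192.168.1.10", 25) returns "allow" while check(SAFE_FIRST, "192.168.1.10", 25) returns "deny"; an outside client (10.0.0.5) is denied under both orderings.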

Multi-level Web Caching

The second method of proxy cache is the so-called “Multi-level Web Caching”, where you choose to share and cooperate with other proxy-cache servers on the Internet. With this method, your organization uses the cache of many other proxy cache servers, and to compensate, the other cache servers can use yours. It’s important to note that in this situation, the proxy cache can play two different roles in the hierarchy. It can be configured to be a sibling cache, and be able to only serve documents it already has, or it can be configured as a parent cache, and be able to get documents from another cache or from the source directly.

NOTE: A good strategy to avoid generating more network traffic than without web caching is to choose to have several sibling caches and only a small number of parent caches.

Configuration of the “/etc/rc.d/init.d/squid” script file for all kinds of configuration

Configure your “/etc/rc.d/init.d/squid” script file to start and stop the Squid Internet Object Cache. This script has been modified to set up the swap cache for Squid in “/cache” instead of “/var/spool/squid”.

Create the squid script file (touch /etc/rc.d/init.d/squid) and add:

#!/bin/bash
# squid		This shell script takes care of starting and stopping
#		Squid Internet Object Cache.
#
# chkconfig: - 90 25
# description: Squid - Internet Object Cache. Internet object caching is \
#	a way to store requested Internet objects (i.e., data available \
#	via the HTTP, FTP, and gopher protocols) on a system closer to the \
#	requesting site than to the source. Web browsers can then use the \
#	local Squid cache as a proxy HTTP server, reducing access time as \
#	well as bandwidth consumption.
# pidfile: /var/run/squid.pid
# config: /etc/squid/squid.conf

# Source networking configuration; this is where NETWORKING is set
. /etc/sysconfig/network

# Check that networking is up
[ "${NETWORKING}" = "no" ] && exit 0

# check if the squid conf file is present
[ -f /etc/squid/squid.conf ] || exit 0

# determine the name of the squid binary
[ -f /usr/sbin/squid ] && SQUID=squid
[ -z "$SQUID" ] && exit 0

# determine which one is the cache_swap directory: strip comments, then take
# the third field of "cache_dir ufs /cache 200 16 256" (the directory name)
CACHE_SWAP=`sed -e 's/#.*//g' /etc/squid/squid.conf | \
	awk '/^cache_dir/ { print $3 }'`
[ -z "$CACHE_SWAP" ] && CACHE_SWAP=/cache

# default squid options
# -D disables initial dns checks. If you most likely will not have an
# internet connection when you start squid, uncomment this
#SQUID_OPTS="-D"

RETVAL=0

case "$1" in
  start)
	echo -n "Starting $SQUID: "
	for adir in $CACHE_SWAP; do
		# create the swap directory tree on first use ("squid -z");
		# assumed body: the original lines of this loop are not reproduced here
		if [ ! -d $adir/00 ]; then
			echo -n "init_cache_dir $adir... "
			$SQUID -z 2>/dev/null
		fi
	done
	$SQUID $SQUID_OPTS &
	RETVAL=$?
	[ $RETVAL -eq 0 ] && touch /var/lock/subsys/$SQUID
	echo
	;;
  stop)
	echo -n "Stopping $SQUID: "
	$SQUID -k shutdown &
	RETVAL=$?
	# assumed: remove the subsystem lock on a clean shutdown request
	[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/$SQUID
	echo
	;;
  *)
	echo "Usage: $0 {start|stop}"
	exit 1
esac

exit $RETVAL

Posted: 13/08/2014, 02:23